Vulnerability
Intel NetStructure
Affected
Intel NetStructure 7110 (previously the Ipivot Commerce Accelerator 1000)
Description
Following is based on L0pht Research Labs Advisory. The
NetStructure 7110 can be compromised via the admin console even
after the admin password has been changed. An undocumented
command list exists known as 'wizard' mode. Through this mode
there is a password that overides the admin password and allows
full access to the internal components of the NetStructure 7110.
This password can be used from within the admin command line
interface or to overide the admin password at an initial login
prompt.
This undocumented shell password is derived from the primary
ethernet MAC address of the NetStructure 7110. During the boot
process and before every login, the serial number (the primary
ethernet MAC address), is presented to the user on the console
port. Running the MAC address into our Ipivot password generator
will supply the user with a default shell password. The
mechanism to change this shell password is undocumented as well.
The shell password gains the console operator root privleges on
the Ipivot with access to gdb, tcpdump, among other utilities and
xmodem to upload other tools.
The NetStructure 7110, was originally a product of Ipivot, and
named the Ipivot Commerce Accelerator 1000. The oversight affects
NetStructure 7110 as shipped in April 2000.
-The administrator password is overridden by an undocumented
shell password.
-The shell password is derived from the primary ethernet MAC
address of the NetStructure 7110.
-In most of the command interface for the NetStructure 7110,
interrupts are ignored. However, the password prompt section
does not block interrupts. When an interrupt is received in
this section, the initial login banner is re-displayed. This
banner contains the ethernet address of the machine. This
banner is also displayed after power-cycling or when exiting
a valid session.
-The method to change the shell password is undocumented.
-Additionally, The shell password is recoverable from the
'admin' account. The running configuration file does not
contain an explicit entry for the shell password. Thus,
initial runs of the 'show config' do not display any elements
referencing the shell password. However, by attempting to
change the shell password via the 'shpass' command, the entry
is created. This happens even if the attempt to change the
password failed. Subsequent calls to 'show config' will now
show the shell password. The steps to recreate this follow:
1. enter wizard mode by typing 'wizard'
2. attempt to change the shell password via the 'shpass'
command.
3. show the new config via the 'show config' command
This leaves all Ipivot/NetStructure 7110's with an undocumented
backdoor which can be accessed through the console port, gaining
the unauthorized user root privledges on the box, above those
privledges granted to the admin password holder. A few data
points make this problem particularly disturbing:
- The Ipivot is the device converting https (encrypted) to
http (unencrypted).
- Network sniffing utilities are installed on the Ipivot by
default.
- The secret material that the password is derived from (the
ethernet address) can be forced to be displayed at the login
prompt.
- The console port is recommended to be hooked up to a modem
in order to perform remote management.
L0pht will make the proof of concept tools available 5-15-2000 to
independently verify and address the problem. PalmOS prc and
unix source available at:
http://www.l0pht.com/advisories/ipivot.tar.gz
Solution
1. Change the admin password after the first login.
2. Next, Type 'wizard'. You are now in an undocumented command
mode.
3. Type 'shpass' and change the shell password. Warning: Do not
set the shell password to the same as the cli password.
4. Type 'config save'.
The wizard mode has been known in the computer security community
for many months.
As a result of this advisory Intel has:
1. Setup a security-info mail account which one can notify
Intel of security issues on their product, where one
previously did not exist.
2. Provided patches for all customers at the following URL:
http://216.188.41.136
or through an 800 number for customers with maintenance
agreements.